Dancing in the dark - AI fights the unknown unknowns

Having won a slew of awards in the technology sector for its pioneering cyber security products, Darktrace ignited our curiosity about how different its solutions could be from typical security software. We speak to Mr Sanjay Aurora, its managing director for Asia Pacific, on the firm’s use of artificial intelligence (AI) and machine learning to combat cyber threats.

By Chia Wan Fen

Insider threat poses one of the most underestimated yet potentially most damaging cyber risks to organisations, said Mr Aurora. Whether it stems from sheer naivete or malicious intent of the employee, the threat from the ‘inside’ often goes unnoticed as security teams tend not to be focused on it and do not monitor all employee activity or devices.

Moreover, an organisation’s enterprise network today is much more complex, porous and interconnected with others than in the past. With the rise in sophistication of adversaries’ methods to bypass traditional security tools, the legacy approach of securing the perimeter and endpoints of a network, using rules and signatures to keep pre-identified threats out of it, has failed to protect companies adequately. For example, adversaries need to beat the perimeter just once and, upon entering the network, can move undetected for a long time until they find what interests them.

“Traditional tools are still necessary in going after known issues. But now we have to go after the unusual, and ‘unknown unknowns’ which we don’t always have visibility of,” said Mr Aurora. “If you can’t stop the adversary with 50 people on the border, you can’t stop it with 500 either. How you use technology and discover threats from an inside-out perspective is how the cyber defence landscape will change.”

A ‘pattern of life’

And that is the problem statement that the ‘Enterprise Immune System’ (EIS) technology provided by Darktrace has solved, he said. The EIS uses artificial intelligence (AI) algorithms and machine learning that mimic the human immune system to detect and respond to cyber threats the way the human body does to viruses. Even if the threats are perpetually changing, the unsupervised, self-learning capabilities of the platform mean it can guard against new threats that the ‘body’ has never experienced and automatically adapt to them.

The technology, created by University of Cambridge mathematicians who founded the firm in 2013 with experts from intelligence agencies, works by analysing network traffic and learning a ‘pattern of life’ for every network, device and user and identifying deviations from normal activity.

Darktrace’s clients have adopted EIS for two main kinds of threats. One is what Mr Aurora describes as ‘low and slow’ bespoke attacks, which should be found early, as they can come through any device and snoop around the network for information like intellectual property. The other type of attack is fast-moving, such as ransomware, where human beings cannot respond as fast as autonomous responses can. “We are seeing customers adopt the EIS in both scenarios,” he said.

AI vs the CIO/CISO

The EIS platform’s accessibility without the requirement of configuration enables its deployment across a wide range of clients, sectors and countries with varying levels of development. Entities range from SMEs and MNCs to large government organisations and small government-linked agencies.

Mr Aurora has observed that insurance companies, having been clients of Darktrace, are now looking at how they can deploy its technology to their own customer bases. With the rising trend of M&A and consolidation, they see the technology as being able to help them gain end-to-end visibility in their supply chain, he said.

Given that Darktrace’s platform is generally self-running, one question which arises is the implication of such a technology on the role of the CIO or CISO, who is traditionally responsible for threat monitoring. Mr Aurora is of the view that the role of AI is complementary, as it can help augment the work done by human security teams.

“Security teams are now in two areas – one being traditional firefighters, understanding and mitigating risks, while the other is a team of discoverers, using technology like ours to connect the dots to say: if this is happening in this part of my network, and that in the other, it means there’s something we need to change,” he said. “So machine learning and AI do the heavy lifting, while CIO/CISOs put on their contextual hat to mitigate and formulate policies.”

What’s next after AI?

Asked whether there is another frontier beyond AI, given that the holy grail of tech advancements seems to lie there nowadays for many technology domains, not just security, Mr Aurora acknowledges that it is hard to predict how cybersecurity will develop from here. After all, the adversaries’ methods are advancing in tandem with each industry solution that emerges and they are increasingly well-funded.

On the related question of what still keeps him up at night – if one makes the assumption that Darktrace’s AI solution may just be the zenith of cybersecurity available now – it is the use of AI by the adversaries. Mr Aurora noted that there could be widespread negative impacts, if AI is used successfully to attack certain key areas.

“Taking control of mission-critical infrastructure in a passive or active manner thus disrupting essential services, or social engineering, like creating fake news which causes people to lose trust and triggering social unrest — these are new areas of cyber risk that we are grappling with,” he said. “We can’t even perceive that kind of damage.”

The bad guys could enter networks and do nothing but read emails and understand how the organisations and employees work, gathering intelligence over a long time before carrying out a completely new form of attack.

“We’ve already seen early symptoms of adversaries using AI. They are well funded, well motivated and well resourced. We’re heading towards a cyber arms race with them.”